Author: george.karpenkov Date: Fri Mar 30 18:20:08 2018 New Revision: 328912
URL: http://llvm.org/viewvc/llvm-project?rev=328912&view=rev
Log: [analyzer] Fix assertion crash in CStringChecker
An offset might be unknown. rdar://39054939
Differential Revision: https://reviews.llvm.org/D45115
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp cfe/trunk/test/Analysis/string.c
Modified: cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp?rev=328912&r1=328911&r2=328912&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Checkers/CStringChecker.cpp Fri Mar 30 18:20:08 2018
@@ -395,8 +395,10 @@ ProgramStateRef CStringChecker::CheckBuf
// Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
- NonLoc LastOffset = svalBuilder
- .evalBinOpNN(state, BO_Sub, *Length, One, sizeTy).castAs<NonLoc>();
+ SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
+ if (Offset.isUnknown())
+ return nullptr;
+ NonLoc LastOffset = Offset.castAs<NonLoc>();
// Check that the first buffer is sufficiently long.
SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
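Review bot: The new `return nullptr;` on an unknown offset makes this function (its name is truncated to CheckBuf in the hunk header; it starts and ends outside the hunk) treat an unanalyzable size the same way as a failed check: if, as I recall from the function's earlier handling (`if (!state) return nullptr;` at the top, `return state;` when the length is not a NonLoc), a null state means a bug was found and the path is to be dropped, then callers will silently prune every path whose size is unknown instead of merely skipping the bounds check. The second hunk handles the identical situation in IsFirstBufInBound with `return true;` and keeps analyzing, so the two fixes disagree on what an unknown offset means. `return state;` here would match that intent and the function's existing precedent; please confirm against the callers' `if (!state)` handling. Writing it as `Optional<NonLoc> LastOffset = Offset.getAs<NonLoc>(); if (!LastOffset) return state;` would also cover an undefined result without relying on `castAs` asserting.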
@@ -862,9 +864,10 @@ bool CStringChecker::IsFirstBufInBound(C
// Compute the offset of the last element to be accessed: size-1.
NonLoc One = svalBuilder.makeIntVal(1, sizeTy).castAs<NonLoc>();
- NonLoc LastOffset =
- svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy)
- .castAs<NonLoc>();
+ SVal Offset = svalBuilder.evalBinOpNN(state, BO_Sub, *Length, One, sizeTy);
+ if (Offset.isUnknown())
+ return true; // cf top comment
+ NonLoc LastOffset = Offset.castAs<NonLoc>();
// Check that the first buffer is sufficiently long.
SVal BufStart = svalBuilder.evalCast(BufVal, PtrTy, FirstBuf->getType());
Modified: cfe/trunk/test/Analysis/string.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/string.c?rev=328912&r1=328911&r2=328912&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/string.c (original)
+++ cfe/trunk/test/Analysis/string.c Fri Mar 30 18:20:08 2018
@@ -30,6 +30,7 @@ typedef typeof(sizeof(int)) size_t;
void clang_analyzer_eval(int);
int scanf(const char *restrict format, ...);
+void *memcpy(void *, const void *, unsigned long);
//===----------------------------------------------------------------------===
// strlen()
@@ -1173,6 +1174,7 @@ void strcat_symbolic_src_length(char *sr
clang_analyzer_eval(strlen(dst) >= 4); // expected-warning{{UNKNOWN}}
}
+
// The analyzer_eval call below should evaluate to true. Most likely the same
// issue as the test above.
void strncpy_exactly_matching_buffer2(char *y) {
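Review bot: The comment `// cf top comment` on the new early return in IsFirstBufInBound does not say which comment it refers to or what decision is being made, so a reader has to leave the hunk to learn why an unknown offset is reported as in-bound (the function starts and ends outside the hunk). Suggest spelling it out on the line itself: `return true; // Offset unknown: no out-of-bounds access can be proven, so report in-bound (see the function header comment).` In the string.c hunk further down, the added `memcpy` declaration uses `unsigned long` although `size_t` is typedef'd at the very line the hunk header quotes; `void *memcpy(void *, const void *, size_t);` would keep the prototype consistent with that typedef.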
@@ -1185,3 +1187,12 @@ void strncpy_exactly_matching_buffer2(ch
// This time, we know that y fits in x anyway.
clang_analyzer_eval(strlen(x) <= 3); // expected-warning{{UNKNOWN}}
}
+
+struct S {
+ char f;
+};
+
+void nocrash_on_locint_offset(void *addr, void* from, struct S s) {
+ int iAdd = (int) addr;
+ memcpy(((void *) &(s.f)), from, iAdd);
+}
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
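Review bot: The new regression test `nocrash_on_locint_offset` carries no comment explaining what it guards, so a future reader has only the function name and the commit log to go on, and the deliberate `(int) addr` truncation could easily be "cleaned up" by someone who does not know it is the point of the test. Suggest a comment above the function: `// Regression test: the size passed to memcpy is a pointer truncated to int, so the checker's last-element offset computation yields an unknown value; this used to hit an assertion (rdar://39054939).` That the cast is what produces the unknown offset is inferred from the name and the log; confirm against the checker before committing the wording. The `void* from` spelling also differs from `void *addr` in the same signature.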